When you spot a suspicious login, the next ten minutes are about containment. Quick, calm steps limit damage, preserve options for recovery, and reduce stress. Panic sparks poor choices; a short checklist buys you time and gives you leverage. This short guide walks you through a clear 10-minute playbook and explains how Ivy's detection and recovery tools help you act fast and confidently.
The 10-Minute Playbook - Minute by Minute
Minute 0–1: Breathe & document
- Don't click anything in the suspicious alert. Pause.
- Screenshot the alert (time, device, IP if shown) and save the alert text or email - this is evidence for platform support and banks.
Minute 1–3: Secure your email (the central step)
- Change your main email password immediately - this is the core recovery key for most accounts.
- If you use a password manager, generate a strong new password and paste it from the manager.
- If you can, sign out of other active sessions from your email's security settings.
Why email first? Many account recoveries route through email. Securing it limits the attacker's ability to take over other accounts.
Minute 3–4: Lock down multi-factor authentication (MFA)
- Turn on 2FA on email if it's not already on - use an authenticator app (recommended) rather than SMS when possible.
- If 2FA was the vector (e.g., SIM swap), contact your mobile carrier and consider switching to a virtual phone for non-critical signups. Ivy supports virtual phone workflows for added protection.
Minute 4–6: Stop further spread - passwords & financial checks
- Change passwords on other critical accounts (banking, social, cloud storage). Prioritize reuse hotspots.
- If your payment info may be at risk, notify your bank - ask them to monitor for suspicious charges and consider a temporary block. If you use virtual cards, cancel the affected virtual numbers to isolate merchant-level leaks.
Minute 6–8: Scan devices & sessions
- Run an anti-malware scan on the device used for the suspicious login.
- On each account (social, banking), check "recent devices / logins" and force logout/removal of unknown devices.
Minute 8–10: Use Ivy's Risk Checkup & breach tools
Run a Risk Checkup to see the immediate exposure across accounts and get prioritized next steps. Ivy's breach detection and password hygiene scoring point to accounts at highest risk and recommend action order - this saves time and reduces uncertainty.
Decision Guide (After 10 Minutes)
- If the attacker still has access / you can't regain control: Contact platform support immediately and follow their account recovery flow. For financial exposure, call your bank.
- If access regained and no signs of fraud: Rotate passwords for at-risk accounts, enable 2FA everywhere, and run a Risk Checkup in Ivy to prioritize follow-ups.
- If you suspect malware: Wipe or restore the device after cleaning, and change passwords from a separate, known-good device.
What Ivy Does to Speed Recovery
- Breach password detection & hygiene scoring: Tells you which accounts likely used exposed credentials and which passwords are reused - so you change the right ones first.
- Risk Checkup: Gives a prioritized playbook so you don't have to guess what to do next (exposure → prioritized next steps).
- Password manager & virtual phone / cards: Helps you rotate credentials and protect payment/recovery channels with low friction.
- AI Security Chat (Ask Ivy): For extra help, ask what to do in plain English (e.g., "I got a suspicious login from IP X - what next?"), and Ivy returns an ordered set of steps you can act on now.
Quick Checklist - Actions to Take Now
Keep this list handy for the next time you see an unexpected login alert:
- Screenshot the alert.
- Change your email password & sign out other sessions.
- Turn on / verify 2FA (authenticator app preferred).
- Change passwords for bank/social/cloud accounts (prioritize reused passwords).
- Scan device for malware & log out unknown sessions.
- Run Risk Checkup or breach scan to prioritize remaining fixes.
- Contact bank/platform support if there is financial exposure or the attacker still has access.
If the suspicious login is part of an impersonation attempt - someone using your identity to contact or scam your network - see our Impersonation Response guide for the full document, report, and recovery playbook.
FAQ
How quickly should I expect results from Ivy's Risk Checkup?
Ivy prioritizes the highest-risk exposures first - the goal is to tell you exactly what to fix in the first 30–60 minutes.
Will changing my password lock the attacker out?
Often yes - but check active sessions and MFA settings. Attackers that control a recovery phone or email may retain access unless those vectors are secured too.
Ten Minutes of Calm Prevents Days of Chaos
A suspicious login doesn't have to mean disaster. The 10-minute playbook gives you structure when you need it most - document, secure email, lock MFA, rotate credentials, scan, and use Ivy to prioritize what's left. Calm, ordered steps beat panic every time.
For the broader incident response framework - covering all incident types from detection through week-long recovery, escalation templates, and monitoring automation - see our Incident Detection & Response playbook.
Need a guided recovery? Try Ivy's Risk Checkup at getivy.ai/recover.